Compliance
Track compliance posture across security frameworks
GET /v1/comply/frameworks
List available frameworks
Retrieve the list of supported compliance frameworks. Each framework contains a set of controls that are mapped to vulnerability findings. Use framework IDs when querying posture and assessment endpoints.
Example Request
curl -X GET "https://apviso.com/api/v1/v1/comply/frameworks" \
-H "X-API-Key: apvk_your_key_here"
Response
Returns the list of all supported compliance frameworks with their control counts and categories.
{
"frameworks": [
{
"id": "owasp-top-10-2021",
"name": "OWASP Top 10 (2021)",
"description": "The OWASP Top 10 is a standard awareness document for developers and web application security, representing the most critical security risks to web applications.",
"version": "2021",
"controlCount": 10,
"category": "application_security"
},
{
"id": "pci-dss-4",
"name": "PCI DSS v4.0",
"description": "Payment Card Industry Data Security Standard for organizations that handle credit card data.",
"version": "4.0",
"controlCount": 64,
"category": "data_security"
},
{
"id": "soc2-type2",
"name": "SOC 2 Type II",
"description": "Service Organization Control 2 trust service criteria for security, availability, processing integrity, confidentiality, and privacy.",
"version": "2017",
"controlCount": 42,
"category": "governance"
},
{
"id": "iso-27001-2022",
"name": "ISO 27001:2022",
"description": "International standard for information security management systems (ISMS).",
"version": "2022",
"controlCount": 93,
"category": "governance"
},
{
"id": "nist-csf-2",
"name": "NIST CSF 2.0",
"description": "NIST Cybersecurity Framework providing guidelines for managing cybersecurity risk.",
"version": "2.0",
"controlCount": 106,
"category": "governance"
},
{
"id": "cis-controls-8",
"name": "CIS Controls v8",
"description": "Center for Internet Security prioritized set of actions to protect organizations from known cyber attack vectors.",
"version": "8",
"controlCount": 153,
"category": "technical_controls"
}
]
}
GET /v1/comply/overview
Get compliance overview
Retrieve a high-level compliance overview across all your targets. Shows the aggregate posture score for each framework based on the latest scan results. Useful for executive dashboards and portfolio-level compliance tracking.
Example Request
curl -X GET "https://apviso.com/api/v1/v1/comply/overview" \
-H "X-API-Key: apvk_your_key_here"
Response
Returns an aggregate compliance overview with per-framework scores (0-100), passing control counts, and critical gap counts.
{
"overallScore": 72,
"targetCount": 2,
"lastComputedAt": "2026-04-10T11:10:00Z",
"frameworks": [
{
"frameworkId": "owasp-top-10-2021",
"name": "OWASP Top 10 (2021)",
"score": 65,
"passingControls": 6,
"totalControls": 10,
"criticalGaps": 2
},
{
"frameworkId": "pci-dss-4",
"name": "PCI DSS v4.0",
"score": 78,
"passingControls": 50,
"totalControls": 64,
"criticalGaps": 3
},
{
"frameworkId": "soc2-type2",
"name": "SOC 2 Type II",
"score": 74,
"passingControls": 31,
"totalControls": 42,
"criticalGaps": 1
}
]
}
GET /v1/comply/targets/:targetId/posture
Get posture snapshot
Retrieve the current compliance posture for a specific target. Shows per-framework scores and control status based on the most recent scan results.
Path Parameters
| Name | Type | Description |
|---|---|---|
| targetId (required) | string | Target ID (UUIDv7) |
Example Request
curl -X GET "https://apviso.com/api/v1/v1/comply/targets/:targetId/posture" \
-H "X-API-Key: apvk_your_key_here"
Response
Returns the compliance posture for the target with per-framework scores, status labels (compliant, needs_improvement, at_risk, non_compliant), and control breakdowns.
{
"targetId": "019414a8-f7c0-7d4a-b5e3-9c2d1e8f4a6b",
"domain": "example.com",
"overallScore": 68,
"computedAt": "2026-04-10T11:10:00Z",
"basedOnScanId": "019414c3-d5e6-7f8a-b9c0-1d2e3f4a5b6c",
"frameworks": [
{
"frameworkId": "owasp-top-10-2021",
"name": "OWASP Top 10 (2021)",
"score": 60,
"status": "at_risk",
"controls": {
"passing": 5,
"failing": 3,
"notApplicable": 2,
"total": 10
}
},
{
"frameworkId": "pci-dss-4",
"name": "PCI DSS v4.0",
"score": 75,
"status": "needs_improvement",
"controls": {
"passing": 48,
"failing": 12,
"notApplicable": 4,
"total": 64
}
}
]
}
POST /v1/comply/targets/:targetId/posture/compute
Compute/refresh posture
Trigger a recomputation of the compliance posture for a target based on the latest scan findings. Posture is normally computed automatically after each scan completes, but you can use this endpoint to force a refresh after updating finding statuses (e.g., marking findings as false positives).
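Because the recomputation is asynchronous, a client has to trigger it and then poll the posture endpoint. The sketch below is an added example, not part of the APVISO documentation: the function names are hypothetical, the base URL is copied from the curl examples on this page, and it assumes a finished recompute shows up as a changed `computedAt` value.

```python
import json
import time
import urllib.request

# Base URL exactly as written in the curl examples on this page.
BASE = "https://apviso.com/api/v1/v1/comply/targets"


def call_api(method, path, api_key):
    """Send one request with the X-API-Key header and decode the JSON body."""
    req = urllib.request.Request(f"{BASE}/{path}", method=method,
                                 headers={"X-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def refresh_posture(target_id, api_key, call=call_api,
                    timeout=300, interval=5, sleep=time.sleep):
    """Trigger a recompute, then poll posture until computedAt changes.

    Assumption: a completed recompute is visible as a new computedAt value.
    `call` and `sleep` are injectable so the loop can be exercised offline.
    """
    before = call("GET", f"{target_id}/posture", api_key).get("computedAt")
    call("POST", f"{target_id}/posture/compute", api_key)
    waited = 0
    while waited <= timeout:
        posture = call("GET", f"{target_id}/posture", api_key)
        if posture.get("computedAt") != before:
            return posture  # fresh snapshot
        sleep(interval)
        waited += interval
    # Never report a stale score as if it were the refreshed one.
    raise TimeoutError(f"posture for {target_id} not refreshed after {timeout}s")
```

Raising on timeout keeps a dashboard or pipeline from treating the old snapshot as the result of the refresh.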
Path Parameters
| Name | Type | Description |
|---|---|---|
| targetId (required) | string | Target ID (UUIDv7) |
Example Request
curl -X POST "https://apviso.com/api/v1/v1/comply/targets/:targetId/posture/compute" \
-H "X-API-Key: apvk_your_key_here"
Response
Returns a confirmation that the posture computation has been initiated. The computation runs asynchronously. Poll the posture endpoint to retrieve updated results.
{
"targetId": "019414a8-f7c0-7d4a-b5e3-9c2d1e8f4a6b",
"status": "computing",
"estimatedReadyAt": "2026-04-10T17:02:00Z",
"message": "Posture computation started. Results will be available shortly."
}
GET /v1/comply/targets/:targetId/posture/history
Get posture history
Retrieve historical compliance posture scores for a target over a specified number of days. Use this to track compliance trends and measure improvement over time.
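Trend tracking is most useful when it flags regressions automatically. The following added example (not part of the APVISO documentation) scans a history payload for per-framework score drops between consecutive snapshots. The function name, the `min_drop` threshold and the sample data, constructed in the shape of this endpoint's response, are assumptions.

```python
import json

# Constructed history in the shape of the posture history response.
# The last snapshot omits pci-dss-4 to exercise the missing-framework case.
SAMPLE_HISTORY = json.loads("""
{"snapshots": [
  {"date": "2026-03-15", "overallScore": 45,
   "frameworks": {"owasp-top-10-2021": 40, "pci-dss-4": 52}},
  {"date": "2026-03-22", "overallScore": 52,
   "frameworks": {"owasp-top-10-2021": 50, "pci-dss-4": 58}},
  {"date": "2026-04-01", "overallScore": 49,
   "frameworks": {"owasp-top-10-2021": 38, "pci-dss-4": 60}},
  {"date": "2026-04-10", "overallScore": 55,
   "frameworks": {"owasp-top-10-2021": 44}}
]}
""")


def score_regressions(history, min_drop=5):
    """Return drops of at least min_drop points between consecutive
    snapshots in which the same framework was scored."""
    # ISO dates (YYYY-MM-DD) sort correctly as strings.
    snapshots = sorted(history.get("snapshots", []), key=lambda s: s["date"])
    last_seen = {}  # frameworkId -> (date, score) of the latest snapshot that has it
    regressions = []
    for snap in snapshots:
        for framework_id, score in sorted(snap.get("frameworks", {}).items()):
            if framework_id in last_seen:
                prev_date, prev_score = last_seen[framework_id]
                if prev_score - score >= min_drop:
                    regressions.append({"frameworkId": framework_id,
                                        "from": prev_date, "to": snap["date"],
                                        "drop": prev_score - score})
            last_seen[framework_id] = (snap["date"], score)
    return regressions


if __name__ == "__main__":
    for r in score_regressions(SAMPLE_HISTORY):
        print(f'{r["frameworkId"]}: -{r["drop"]} between {r["from"]} and {r["to"]}')
```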
Path Parameters
| Name | Type | Description |
|---|---|---|
| targetId (required) | string | Target ID (UUIDv7) |
Query Parameters
| Name | Type | Description |
|---|---|---|
| days | number (default: 30) | Number of days of history to retrieve (max 365) |
Example Request
curl -X GET "https://apviso.com/api/v1/v1/comply/targets/:targetId/posture/history" \
-H "X-API-Key: apvk_your_key_here"
Response
Returns an array of posture snapshots over the requested time period, with per-framework scores at each data point. One snapshot per scan that occurred in the period.
{
"targetId": "019414a8-f7c0-7d4a-b5e3-9c2d1e8f4a6b",
"domain": "example.com",
"period": {
"start": "2026-03-11T00:00:00Z",
"end": "2026-04-10T23:59:59Z"
},
"snapshots": [
{
"date": "2026-03-15",
"overallScore": 45,
"frameworks": {
"owasp-top-10-2021": 40,
"pci-dss-4": 52
}
},
{
"date": "2026-03-22",
"overallScore": 52,
"frameworks": {
"owasp-top-10-2021": 50,
"pci-dss-4": 58
}
},
{
"date": "2026-04-01",
"overallScore": 61,
"frameworks": {
"owasp-top-10-2021": 55,
"pci-dss-4": 68
}
},
{
"date": "2026-04-10",
"overallScore": 68,
"frameworks": {
"owasp-top-10-2021": 60,
"pci-dss-4": 75
}
}
]
}
GET /v1/comply/targets/:targetId/assessments
Get control assessments
Retrieve compliance control assessments for a target. Each assessment shows whether a framework control is passing, failing, or not applicable based on scan findings. Optionally filter by framework.
Path Parameters
| Name | Type | Description |
|---|---|---|
| targetId (required) | string | Target ID (UUIDv7) |
Query Parameters
| Name | Type | Description |
|---|---|---|
| frameworkId | string | Filter by framework ID. If omitted, returns assessments for all frameworks |
Example Request
curl -X GET "https://apviso.com/api/v1/v1/comply/targets/:targetId/assessments" \
-H "X-API-Key: apvk_your_key_here"
Response
Returns per-framework control assessments with the number of linked findings and the highest severity finding for each failing control.
{
"targetId": "019414a8-f7c0-7d4a-b5e3-9c2d1e8f4a6b",
"assessments": [
{
"frameworkId": "owasp-top-10-2021",
"frameworkName": "OWASP Top 10 (2021)",
"controls": [
{
"controlId": "A01",
"name": "Broken Access Control",
"status": "failing",
"findingsCount": 2,
"highestSeverity": "high"
},
{
"controlId": "A02",
"name": "Cryptographic Failures",
"status": "passing",
"findingsCount": 0,
"highestSeverity": null
},
{
"controlId": "A03",
"name": "Injection",
"status": "failing",
"findingsCount": 1,
"highestSeverity": "critical"
}
]
}
]
}
GET /v1/comply/targets/:targetId/assessments/:frameworkId/controls
Get controls with findings
Retrieve detailed control information for a specific framework, including the mapped findings for each control. This provides the deep-dive view for understanding which vulnerabilities affect which compliance requirements.
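One way to use this response as a release gate, shown as an added example that is not part of the APVISO documentation: it lists failing controls that still carry a finding at or above a chosen severity. The function names, the severity ranking (built from the severity names on this page) and the sample payload, constructed in the shape of this endpoint's response, are assumptions.

```python
import json

# Severity names used on this page, ranked low to high (the ranking is an assumption).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
UNKNOWN = 5  # an unrecognised severity ranks highest so it is never silently ignored

# Constructed sample in the shape of the controls response (finding ids are made up).
SAMPLE_RESPONSE = json.loads("""
{"frameworkId": "owasp-top-10-2021", "controls": [
  {"controlId": "A03", "name": "Injection", "status": "failing",
   "findings": [{"id": "f-1", "severity": "critical", "userStatus": "open"}]},
  {"controlId": "A01", "name": "Broken Access Control", "status": "failing",
   "findings": [{"id": "f-2", "severity": "high", "userStatus": "in_progress"},
                {"id": "f-3", "severity": "high", "userStatus": "open"}]},
  {"controlId": "A05", "name": "Security Misconfiguration", "status": "failing",
   "findings": [{"id": "f-4", "severity": "low", "userStatus": "open"}]},
  {"controlId": "A02", "name": "Cryptographic Failures", "status": "passing",
   "findings": []}
]}
""")


def rank(finding):
    return SEVERITY_RANK.get(finding.get("severity"), UNKNOWN)


def blocking_controls(response, min_severity="high"):
    """Failing controls with a finding at or above min_severity, worst first."""
    threshold = SEVERITY_RANK[min_severity]
    blocked = []
    for control in response.get("controls", []):
        if control.get("status") != "failing":
            continue
        hits = [f for f in control.get("findings", []) if rank(f) >= threshold]
        if hits:
            worst = max(hits, key=rank)
            blocked.append({"controlId": control["controlId"],
                            "worst": worst.get("severity"),
                            "findingIds": [f["id"] for f in hits]})
    blocked.sort(key=lambda b: (-SEVERITY_RANK.get(b["worst"], UNKNOWN), b["controlId"]))
    return blocked


if __name__ == "__main__":
    gate = blocking_controls(SAMPLE_RESPONSE)
    print(json.dumps(gate, indent=2))
    raise SystemExit(1 if gate else 0)  # non-zero exit fails the pipeline step
```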
Path Parameters
| Name | Type | Description |
|---|---|---|
| targetId (required) | string | Target ID (UUIDv7) |
| frameworkId (required) | string | Framework ID (e.g. "owasp-top-10-2021") |
Example Request
curl -X GET "https://apviso.com/api/v1/v1/comply/targets/:targetId/assessments/:frameworkId/controls" \
-H "X-API-Key: apvk_your_key_here"
Response
Returns all controls for the specified framework with their assessment status and linked findings. Each finding includes its severity, user-assigned status, and parent scan ID.
{
"frameworkId": "owasp-top-10-2021",
"frameworkName": "OWASP Top 10 (2021)",
"controls": [
{
"controlId": "A03",
"name": "Injection",
"description": "An application is vulnerable to injection when user-supplied data is not validated, filtered, or sanitized by the application.",
"status": "failing",
"findings": [
{
"id": "019414c8-a1b2-7c3d-e4f5-6a7b8c9d0e1f",
"title": "SQL Injection in /api/users endpoint",
"severity": "critical",
"userStatus": "open",
"scanId": "019414c3-d5e6-7f8a-b9c0-1d2e3f4a5b6c"
}
]
},
{
"controlId": "A01",
"name": "Broken Access Control",
"description": "Access control enforces policy such that users cannot act outside of their intended permissions.",
"status": "failing",
"findings": [
{
"id": "019414ca-c3d4-7e5f-a6b7-8c9d0e1f2a3b",
"title": "IDOR allows accessing other users' orders via /api/orders/:id",
"severity": "high",
"userStatus": "in_progress",
"scanId": "019414c3-d5e6-7f8a-b9c0-1d2e3f4a5b6c"
},
{
"id": "019414cb-d4e5-7f6a-b7c8-9d0e1f2a3b4c",
"title": "Missing function-level access control on admin endpoints",
"severity": "high",
"userStatus": "open",
"scanId": "019414c3-d5e6-7f8a-b9c0-1d2e3f4a5b6c"
}
]
},
{
"controlId": "A02",
"name": "Cryptographic Failures",
"description": "Failures related to cryptography which often lead to exposure of sensitive data.",
"status": "passing",
"findings": []
}
]
}
GET /v1/comply/targets/:targetId/remediation
Get remediation velocity
Retrieve remediation velocity metrics for a target, showing how quickly vulnerabilities are being resolved over a given time period. Includes mean time to remediate (MTTR) by severity and trend data.
Path Parameters
| Name | Type | Description |
|---|---|---|
| targetId (required) | string | Target ID (UUIDv7) |
Query Parameters
| Name | Type | Description |
|---|---|---|
| days | number (default: 30) | Number of days to analyze (max 365) |
Example Request
curl -X GET "https://apviso.com/api/v1/v1/comply/targets/:targetId/remediation" \
-H "X-API-Key: apvk_your_key_here"
Response
Returns remediation velocity metrics including overall resolution rate, mean time to remediate (MTTR) broken down by severity with trend indicators, and weekly opened vs. resolved counts.
{
"targetId": "019414a8-f7c0-7d4a-b5e3-9c2d1e8f4a6b",
"domain": "example.com",
"period": {
"start": "2026-03-11T00:00:00Z",
"end": "2026-04-10T23:59:59Z"
},
"summary": {
"totalFindings": 42,
"resolved": 28,
"open": 14,
"resolutionRate": 66.7
},
"mttr": {
"overall": {
"hours": 72,
"trend": "improving"
},
"critical": {
"hours": 8,
"trend": "stable"
},
"high": {
"hours": 36,
"trend": "improving"
},
"medium": {
"hours": 120,
"trend": "improving"
},
"low": {
"hours": 240,
"trend": "stable"
}
},
"weekly": [
{
"week": "2026-03-11",
"opened": 15,
"resolved": 5,
"netChange": 10
},
{
"week": "2026-03-18",
"opened": 8,
"resolved": 8,
"netChange": 0
},
{
"week": "2026-03-25",
"opened": 12,
"resolved": 10,
"netChange": 2
},
{
"week": "2026-04-01",
"opened": 7,
"resolved": 5,
"netChange": 2
}
]
}
POST /v1/comply/targets/:targetId/export
Export compliance report
Generate and download a compliance report for a target in PDF, CSV, or JSON format. The report includes framework posture, control assessments, linked findings, and remediation guidance. Optionally scope the report to a single framework.
Path Parameters
| Name | Type | Description |
|---|---|---|
| targetId (required) | string | Target ID (UUIDv7) |
Request Body
| Name | Type | Description |
|---|---|---|
| frameworkId | string | Limit the report to a specific framework. If omitted, all frameworks are included |
| format (required) | string (pdf, csv, json) | Export file format |
Example Request
curl -X POST "https://apviso.com/api/v1/v1/comply/targets/:targetId/export" \
-H "X-API-Key: apvk_your_key_here" \
-H "Content-Type: application/json" \
-d '{
"frameworkId": "owasp-top-10-2021",
"format": "pdf"
}'
Response
Returns the export job status with a download URL. For JSON and CSV formats, the response may be immediate. For PDF, the generation is asynchronous and requires polling the download URL.
{
"exportId": "019414f0-a1b2-7c3d-e4f5-6a7b8c9d0e1f",
"status": "generating",
"format": "pdf",
"frameworkId": "owasp-top-10-2021",
"estimatedReadyAt": "2026-04-10T17:12:00Z",
"downloadUrl": "/v1/comply/exports/019414f0-a1b2-7c3d-e4f5-6a7b8c9d0e1f/download"
}
GET /v1/comply/targets/:targetId/badge
Get trust badge config
Retrieve the trust badge configuration for a target. Trust badges are embeddable widgets that display your compliance status on your website, building trust with visitors and customers.
Path Parameters
| Name | Type | Description |
|---|---|---|
| targetId (required) | string | Target ID (UUIDv7) |
Example Request
curl -X GET "https://apviso.com/api/v1/v1/comply/targets/:targetId/badge" \
-H "X-API-Key: apvk_your_key_here"
Response
Returns the trust badge configuration including the public badge URL, embeddable HTML code, style settings, and selected frameworks to display.
{
"targetId": "019414a8-f7c0-7d4a-b5e3-9c2d1e8f4a6b",
"enabled": true,
"badgeUrl": "https://apviso.com/badge/019414a8-f7c0-7d4a-b5e3-9c2d1e8f4a6b",
"embedCode": "<a href=\"https://apviso.com/badge/019414a8-f7c0-7d4a-b5e3-9c2d1e8f4a6b\" target=\"_blank\"><img src=\"https://apviso.com/badge/019414a8-f7c0-7d4a-b5e3-9c2d1e8f4a6b/image\" alt=\"Secured by APVISO\" width=\"150\" /></a>",
"style": "light",
"showScore": true,
"showFrameworks": [
"owasp-top-10-2021",
"soc2-type2"
],
"lastScanDate": "2026-04-10",
"createdAt": "2026-04-01T12:00:00Z",
"updatedAt": "2026-04-10T11:10:00Z"
}
PUT /v1/comply/targets/:targetId/badge
Create or update trust badge
Create or update the trust badge configuration for a target. Configure the badge style, whether to show the compliance score, and which frameworks to display. The badge automatically updates when new scan results are available.
Path Parameters
| Name | Type | Description |
|---|---|---|
| targetId (required) | string | Target ID (UUIDv7) |
Request Body
| Name | Type | Description |
|---|---|---|
| style | string (light, dark, minimal) | Badge visual style |
| showScore | boolean | Whether to display the numerical compliance score on the badge |
| showFrameworks | string[] | Framework IDs to display on the badge. An empty array hides framework details |
Example Request
curl -X PUT "https://apviso.com/api/v1/v1/comply/targets/:targetId/badge" \
-H "X-API-Key: apvk_your_key_here" \
-H "Content-Type: application/json" \
-d '{
"style": "dark",
"showScore": true,
"showFrameworks": [
"owasp-top-10-2021",
"soc2-type2",
"pci-dss-4"
]
}'
Response
Returns the updated trust badge configuration with the embed code.
{
"targetId": "019414a8-f7c0-7d4a-b5e3-9c2d1e8f4a6b",
"enabled": true,
"badgeUrl": "https://apviso.com/badge/019414a8-f7c0-7d4a-b5e3-9c2d1e8f4a6b",
"embedCode": "<a href=\"https://apviso.com/badge/019414a8-f7c0-7d4a-b5e3-9c2d1e8f4a6b\" target=\"_blank\"><img src=\"https://apviso.com/badge/019414a8-f7c0-7d4a-b5e3-9c2d1e8f4a6b/image\" alt=\"Secured by APVISO\" width=\"150\" /></a>",
"style": "dark",
"showScore": true,
"showFrameworks": [
"owasp-top-10-2021",
"soc2-type2",
"pci-dss-4"
],
"lastScanDate": "2026-04-10",
"createdAt": "2026-04-01T12:00:00Z",
"updatedAt": "2026-04-10T17:15:33Z"
}
DELETE /v1/comply/targets/:targetId/badge
Delete trust badge
Delete the trust badge for a target. The badge URL will immediately return a 404, so make sure to remove the embed code from your website first.
Path Parameters
| Name | Type | Description |
|---|---|---|
| targetId (required) | string | Target ID (UUIDv7) |
Example Request
curl -X DELETE "https://apviso.com/api/v1/v1/comply/targets/:targetId/badge" \
-H "X-API-Key: apvk_your_key_here"
Response
Returns a confirmation message. The badge URL is immediately deactivated.
{
"message": "Trust badge deleted successfully"
}